Eric Partington

SSL and NetWitness Part Deux - CA oopsie?

Blog Post created by Eric Partington Employee on Sep 5, 2016

It seems there is a possibility that a CA issued duplicate certificates for a GitHub domain:

http://thehackernews.com/2016/08/github-ssl-certificate.html

Could SA (NetWitness) help locate whether any certificates were signed by the potentially offending CA, and show whether this could impact your organization?

Let's see ...

Using this post to enable full indexing on the appropriate ssl.* metakeys, you can search for the CA name (in this case WoSign):

https://community.rsa.com/community/products/netwitness/blog/2016/08/30/ssl-and-netwitness

ssl.ca = 'WoSign'

Or, if the CA name isn't exactly WoSign, we could use this query to locate similar names and then tune the drill appropriately:

ssl.ca contains 'WoSign'

Then you could see all the domains (alias.host) in the sessions where that certificate was used, and see whether you might be affected. You might also want to focus on outbound traffic (your users connecting to a GitHub domain with a certificate signed by WoSign would be something to investigate).

From what I can see with my browser, DigiCert should be the CA for GitHub:

[Image: digicert ca]

Taking this one step further, I also found there was a new function that has been spun up to track how many certs have been created for each domain. Why not create a Context Menu plugin for RSA NW to query one of these certificate transparency sites, so that analysts could get additional details about the domain and certs without SharePoint + copy + paste + copy + paste?

https://www.google.com/transparencyreport/https/ct/#domain=www.mozilla.org&incl_exp=true&incl_sub=true

So here is the context menu item, which functions on the ssl.ca, ssl.subject and alias.host metakeys:

[Image: certificate transparency]

{
    "displayName": "Google SSL Cert Transparency Check",
    "cssClasses": [
        "ssl.ca",
        "ssl-ca",
        "ssl.subject",
        "ssl-subject",
        "alias.host",
        "alias-host"
    ],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "1",
    "modules": [
        "investigation"
    ],
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true",
    "disabled": "",
    "id": "GoogleSSLCERTCHECK",
    "moduleClasses": [
        "UAP.investigation.navigate.view.NavigationPanel",
        "UAP.investigation.events.view.EventGrid"
    ],
    "openInNewTab": "true",
    "order": ""
}
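As an added example (not code from the original post or from RSA), the same triage expressed in Python: the `ssl.ca contains 'WoSign'` drill run over constructed session meta, a check of alias.host against the CA you would expect for that domain (the post's GitHub -> DigiCert observation), and the `{0}` substitution the context menu's urlFormat performs. EXPECTED_CA and SAMPLE_SESSIONS are constructed assumptions, not data from the page.

```python
from urllib.parse import quote

# Constructed assumption: expected CA per domain (the post sees DigiCert for GitHub).
EXPECTED_CA = {"github.com": "DigiCert", "github.io": "DigiCert"}

# Same template as the context menu's urlFormat; {0} is the clicked meta value.
CT_URL = "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true"

def ct_lookup_url(value):
    """Substitute the meta value into urlFormat the way the plugin does."""
    return CT_URL.replace("{0}", quote(value, safe=""))

def ca_contains(ssl_ca, needle):
    """Equivalent of the drill  ssl.ca contains 'needle'  (case-insensitive)."""
    return needle.lower() in (ssl_ca or "").lower()

def expected_ca_for(host):
    """Expected CA for host, matching a known domain or any of its subdomains."""
    host = host.lower().rstrip(".")
    for domain, ca in EXPECTED_CA.items():
        if host == domain or host.endswith("." + domain):
            return ca
    return None

def find_suspect_sessions(sessions, ca_needle="WoSign"):
    """Sessions whose ssl.ca contains ca_needle, flagged when the issuer contradicts
    the expected CA for alias.host; outbound and mismatching sessions sort first."""
    hits = []
    for s in sessions:
        if not ca_contains(s.get("ssl.ca"), ca_needle):
            continue
        host = s.get("alias.host", "")
        expected = expected_ca_for(host)
        hits.append({
            "alias.host": host, "ssl.ca": s["ssl.ca"],
            "direction": s.get("direction", ""), "expected_ca": expected,
            "mismatch": expected is not None and not ca_contains(s["ssl.ca"], expected),
            "ct_url": ct_lookup_url(host),  # same link the context menu would open
        })
    hits.sort(key=lambda h: (h["direction"] != "outbound", not h["mismatch"]))
    return hits

# Constructed sample session meta, not real NetWitness output.
SAMPLE_SESSIONS = [
    {"alias.host": "api.github.com", "ssl.ca": "WoSign CA Limited", "direction": "outbound"},
    {"alias.host": "shop.example.cn", "ssl.ca": "WoSign CA Free SSL G2", "direction": "outbound"},
    {"alias.host": "github.com", "ssl.ca": "DigiCert SHA2 High Assurance Server CA", "direction": "outbound"},
    {"alias.host": "intranet.corp.example", "ssl.ca": "Corp Internal CA", "direction": "inbound"},
]
```

Only sessions where the issuer contradicts the expected CA for a known domain are marked as a mismatch; other WoSign-issued sessions are returned for review with their CT link.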
